From 95cdebcc093508f31b4c9df6e2ffc2d837454946 Mon Sep 17 00:00:00 2001 From: Liang Ding Date: Thu, 23 Jul 2015 16:31:37 +0800 Subject: [PATCH] fix file permission bug --- editor/formatter.go | 3 ++- file/files.go | 41 ++++++++++++----------------------------- output/build.go | 7 +++++++ session/users.go | 16 ++++++++++++++++ static/js/editors.js | 6 ++++-- static/js/tree.js | 9 +++------ static/js/wide.js | 6 +++--- util/go.go | 2 +- 8 files changed, 48 insertions(+), 42 deletions(-) diff --git a/editor/formatter.go b/editor/formatter.go index 1d7ce0b..e0c79e8 100644 --- a/editor/formatter.go +++ b/editor/formatter.go @@ -54,7 +54,8 @@ func GoFmtHandler(w http.ResponseWriter, r *http.Request) { filePath := args["file"].(string) if util.Go.IsAPI(filePath) { - // ignore it + data["succ"] = false + return } diff --git a/file/files.go b/file/files.go index a4bada8..9e83150 100644 --- a/file/files.go +++ b/file/files.go @@ -101,7 +101,7 @@ func GetFilesHandler(w http.ResponseWriter, r *http.Request) { workspaceNode := Node{ Id: filepath.ToSlash(workspacePath), // jQuery API can't accept "\", so we convert it to "/" Name: workspace[strings.LastIndex(workspace, conf.PathSeparator)+1:], - Path: workspacePath, + Path: filepath.ToSlash(workspacePath), IconSkin: "ico-ztree-dir-workspace ", Type: "d", Creatable: true, @@ -134,7 +134,7 @@ func RefreshDirectoryHandler(w http.ResponseWriter, r *http.Request) { r.ParseForm() path := r.FormValue("path") - if !authWorkspace(username, path) { + if !util.Go.IsAPI(path) && !session.CanAccess(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -178,7 +178,7 @@ func GetFileHandler(w http.ResponseWriter, r *http.Request) { path := args["path"].(string) - if !authWorkspace(username, path) { + if !util.Go.IsAPI(path) && !session.CanAccess(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return 
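Review bot: GoFmtHandler's new branch only refuses the Go API path; unlike the file handlers changed in this commit it never calls `session.CanAccess(username, filePath)`, so if the formatter goes on to read or rewrite `filePath` (its body continues outside the hunk) a path outside the caller's workspace is still formatted. If a username is in scope here, the guard that matches the write handlers is `if util.Go.IsAPI(filePath) || !session.CanAccess(username, filePath) {`. The other handlers signal refusal with `http.Error(w, "Forbidden", http.StatusForbidden)`, whereas this one sets `data["succ"] = false` and returns with no status or reason; pick one convention, or at least add a reason field to `data` so the client can tell why formatting was skipped.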
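Review bot: The read/write policy is now spelled out inline at every call site: `!util.Go.IsAPI(path) && !session.CanAccess(username, path)` in RefreshDirectoryHandler, GetFileHandler and FindHandler, and `util.Go.IsAPI(path) || !session.CanAccess(username, path)` in SaveFileHandler, NewFileHandler, RemoveFileHandler, RenameFileHandler (twice, once wrapped over two lines and once not) and BuildHandler. Two helpers beside CanAccess, e.g. `func CanRead(username, path string) bool { return util.Go.IsAPI(path) || CanAccess(username, path) }` and `func CanWrite(username, path string) bool { return !util.Go.IsAPI(path) && CanAccess(username, path) }`, would keep the policy in one place so a later hardening (path cleaning, symlink resolution) lands in every handler at once. Whether the session package can import util without an import cycle is not visible here.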
@@ -252,7 +252,7 @@ func SaveFileHandler(w http.ResponseWriter, r *http.Request) { filePath := args["file"].(string) sid := args["sid"].(string) - if !authWorkspace(username, filePath) { + if util.Go.IsAPI(filePath) || !session.CanAccess(username, filePath) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -307,7 +307,7 @@ func NewFileHandler(w http.ResponseWriter, r *http.Request) { path := args["path"].(string) - if !authWorkspace(username, path) { + if util.Go.IsAPI(path) || !session.CanAccess(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -358,7 +358,8 @@ func RemoveFileHandler(w http.ResponseWriter, r *http.Request) { } path := args["path"].(string) - if !authWorkspace(username, path) { + + if util.Go.IsAPI(path) || !session.CanAccess(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -403,14 +404,15 @@ func RenameFileHandler(w http.ResponseWriter, r *http.Request) { } oldPath := args["oldPath"].(string) - if !authWorkspace(username, oldPath) { + if util.Go.IsAPI(oldPath) || + !session.CanAccess(username, oldPath) { http.Error(w, "Forbidden", http.StatusForbidden) return } newPath := args["newPath"].(string) - if !authWorkspace(username, newPath) { + if util.Go.IsAPI(newPath) || !session.CanAccess(username, newPath) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -466,7 +468,7 @@ func FindHandler(w http.ResponseWriter, r *http.Request) { } path := args["path"].(string) // path of selected file in file tree - if !authWorkspace(username, path) { + if !util.Go.IsAPI(path) && !session.CanAccess(username, path) { http.Error(w, "Forbidden", http.StatusForbidden) return @@ -561,7 +563,7 @@ func walk(path string, node *Node, creatable, removable, isGOAPI bool) { child := Node{ Id: filepath.ToSlash(fpath), // jQuery API can't accept "\", so we convert it to "/" Name: filename, - Path: fpath, + Path: filepath.ToSlash(fpath), Removable: removable, IsGoAPI: isGOAPI, Children: []*Node{}} 
@@ -844,22 +846,3 @@ func searchInFile(path string, text string) []*Snippet { return ret } - -func authWorkspace(username, path string) bool { - path = filepath.FromSlash(path) - - if strings.HasPrefix(path, util.Go.GetAPIPath()) { - return true - } - - userWorkspace := conf.GetUserWorkspace(username) - workspaces := filepath.SplitList(userWorkspace) - - for _, workspace := range workspaces { - if strings.HasPrefix(path, workspace) { - return true - } - } - - return false -} diff --git a/output/build.go b/output/build.go index f541a2d..e2a2f0f 100644 --- a/output/build.go +++ b/output/build.go @@ -59,6 +59,13 @@ func BuildHandler(w http.ResponseWriter, r *http.Request) { sid := args["sid"].(string) filePath := args["file"].(string) + + if util.Go.IsAPI(filePath) || !session.CanAccess(username, filePath) { + http.Error(w, "Forbidden", http.StatusForbidden) + + return + } + curDir := filepath.Dir(filePath) fout, err := os.Create(filePath) diff --git a/session/users.go b/session/users.go index 07d8c67..b61fd9e 100644 --- a/session/users.go +++ b/session/users.go @@ -305,6 +305,22 @@ func FixedTimeSave() { }() } +// CanAccess determines whether the user specified by the given username can access the specified path. +func CanAccess(username, path string) bool { + path = filepath.FromSlash(path) + + userWorkspace := conf.GetUserWorkspace(username) + workspaces := filepath.SplitList(userWorkspace) + + for _, workspace := range workspaces { + if strings.HasPrefix(path, workspace) { + return true + } + } + + return false +} + func getOnlineUsers() []*conf.User { ret := []*conf.User{} diff --git a/static/js/editors.js b/static/js/editors.js index 71d3017..e66a9d9 100644 --- a/static/js/editors.js +++ b/static/js/editors.js 
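Review bot: CanAccess decides on a raw `strings.HasPrefix(path, workspace)` without cleaning the path or requiring a separator after the prefix, so it is not a containment test: a path of the form `<workspace>/../<elsewhere>` keeps the workspace prefix after `filepath.FromSlash` yet resolves outside it, and a sibling directory whose name merely starts with the workspace name also passes. Every guard this commit adds in file/files.go and output/build.go relies on this function, so the fix belongs here: clean both sides and accept either the workspace itself or `workspace + separator` as the prefix. Symlinks inside a workspace that point outside are not covered by a string comparison at all; if that matters, resolve with `filepath.EvalSymlinks` before comparing. The removed authWorkspace made the same comparison, so this is pre-existing rather than newly introduced, but the move is the moment to fix it.
```go
func CanAccess(username, path string) bool {
	path = filepath.Clean(filepath.FromSlash(path))

	// … unchanged: userWorkspace / workspaces lookup …

	for _, workspace := range workspaces {
		workspace = filepath.Clean(workspace)
		if path == workspace || strings.HasPrefix(path, workspace+string(filepath.Separator)) {
			return true
		}
	}

	return false
}
```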
@@ -335,6 +335,7 @@ var editors = { }, _initCodeMirrorHotKeys: function () { CodeMirror.registerHelper("hint", "go", function (editor) { + editor = wide.curEditor; // 使用当前编辑器覆盖实参,因为异步调用的原因,实参不一定正确 var word = /[\w$]+/; var cur = editor.getCursor(), curLine = editor.getLine(cur.line); @@ -415,7 +416,7 @@ var editors = { } editor.doc.markClean(); - $(".edit-panel .tabs > div.current > span").removeClass("changed"); + $(".edit-panel .tabs .current > span:eq(0)").removeClass("changed"); } }); @@ -756,7 +757,7 @@ var editors = { // 新建一个编辑器 Tab,如果已经存在 Tab 则切换到该 Tab. newEditor: function (data, cursor) { var id = wide.curNode.id; - + editors.tabs.add({ id: id, title: ' input").val(); - request.path = wide.curNode.path + config.pathSeparator + name; + request.path = wide.curNode.path + "/" + name; request.fileType = "f"; $.ajax({ @@ -214,7 +214,7 @@ var wide = { var name = $("#dialogNewDirPrompt > input").val(), request = newWideRequest(); - request.path = wide.curNode.path + config.pathSeparator + name; + request.path = wide.curNode.path + "/" + name; request.fileType = "d"; $.ajax({ @@ -300,7 +300,7 @@ var wide = { var goFileHTML = ''; for (var i = 0, max = data.founds.length; i < max; i++) { var path = data.founds[i].path, - name = path.substr(path.lastIndexOf(config.pathSeparator) + 1), + name = path.substr(path.lastIndexOf("/") + 1), icoSkin = wide.getClassBySuffix(name.split(".")[1]); if (i === 0) { goFileHTML += '
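Review bot: The hint helper now discards the `editor` CodeMirror passes in and uses `wide.curEditor` instead; if `wide.curEditor` is unset when the hint fires (the added comment itself says the timing is asynchronous), the next line `editor.getCursor()` throws inside the helper. Keeping the original argument as a fallback avoids that: `editor = wide.curEditor || editor;`. The helper's body continues outside the hunk.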
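Review bot: In the new-directory dialog, `request.path = wide.curNode.path + "/" + name;` concatenates the prompt value unchecked: an empty name yields a trailing slash and a name containing `/` produces a nested path the user did not ask for. The server-side `session.CanAccess` remains the real boundary, but rejecting those up front, e.g. `if (!name || name.indexOf("/") !== -1) { return; }` with a message to the user, gives a clearer failure than a server error. The corresponding new-file dialog change in this file builds its path the same way. The `wide` object literal continues outside the hunk.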